Chief Executive Officer of DSPL Nigeria Limited, one of the recently licensed data protection compliance organisations in Nigeria, Mr. Tunde Balogun, in this interview speaks on development in the sector. Emma Okonji presents the excerpts:
The Nigeria Data Protection Regulation (NDPR) came into force last year, and given the emergence of new companies playing in that field, it seems an industry is being built around data protection. What’s your view about data protection in Nigeria?
Data protection is data protection everywhere in the world. Yes, a lot of us always say because the European Union General Data Protection Regulation (GDPR) came into existence and is the most holistic and robust data protection regulation in the world because it takes the interest of all the member countries, but GDPR tends to be the gold standard. So, most other data protection regulation in other countries in the world tend to toe the path of GDPR. But it doesn’t mean that it’s copied, because data protection remains data protection anywhere in the world. So NDPR is a very good data protection regulation. The Piper, which is a non-governmental organisation that ranks data protection regulation of each country all over the world, gives them colour: Green is for strong regulation; Amber is for moderate, and I think Red is for weak regulation. NDPR was awarded Amber, which is moderate. There are some advanced countries in the world that their regulation was marked Red and they are countries that are more advanced than our country Nigeria. So if you want to look at it, NDPR in terms of comparison to other countries’ regulation, is decent. In terms of the structure of the implementation, it is unique in the world. It is unique in the sense that it creates that layer of licensed firms to help organisations for implementation. There is nowhere in the world where that is done. That uniqueness is a masterstroke, very ingenious by the immediate past Director-General of NITDA, Dr. Isa Pantami. Though I don’t like to personalise things, I would like to mention this that the current Minister for Communications and Digital Economy and his team that came up with that, actually demonstrated ingenuity. That uniqueness, I can tell you as the convener of the Association of Licensed Data Protection Compliance Organisations of Nigeria, is not anywhere in the world. All other African countries are looking at our model. So that makes NDPR unique.
In terms of the content, it is moderate, but in terms of the structure and how to implement it, that makes it quite unique in the world, which is very ingenious.
Do you see data protection becoming a big sub-sector in Nigeria in the future?
Data protection is the foundation of digital economy. I could remember in the 90s when I used to come to Nigeria, and I used to talk about cloud and a lot of people used to think I was a mad man. And I used to tell them don’t worry, it is inevitable. It is not going to be an option; I told them everybody is going to move to cloud. So it’s the same thing with data protection, it’s inevitable. Digital economy, especially in a country like this where you have high level of poverty and high level of illiteracy, disruptive technology is the only way out and that hinges on digital technologies, and digital technologies sit on data protection. Data protection is the foundation in the real sense that if data protection in any jurisdiction is not well implemented and taken seriously, any digital project you put on it will collapse. So, now going back to your question. Time will tell, but the signs that I see are good. There are a few peculiarities as you know it in our country and I think those peculiarities are due to lack of capacity. Data protection all over the world is new; more new in Nigeria and I can tell you that we have got only a few people that have gotten the professional certification, but they haven’t got the hands-on experience yet. So, they haven’t got the practical experience, they have gone for the certification exam as a data protection officer. But apart from that, the capacity in Nigeria is very light. So because of that, you can see some of the people in the industry, because they don’t have an in-depth understanding of what data protection is, they want to take it from the main focus, or they are diluting it with something else. But the future is good. The most important thing is for all stakeholders in the data protection ecosystem in Nigeria not to make it elitist. That’s my fear.
What is your view about the contents of Nigeria Data Protection Regulation and to what extent do think they can address key challenges in data usage?
The contents of the regulation and the data protection bill are alright. They all hinge on the United Nations Declaration on Human Rights and on article 17 and 15, which Nigeria is a signatory to. So the contents are right, but it’s always down to implementation operationalisation, which I fear that it might become elitist. You see, one of the reasons why that fear is there is because of the uniqueness again of the framework of data protection in Nigeria that you have these licensed DPCOs and the three categories of firms that the current regulator, which is NITDA, has licensed are either you an ICT firm with experience in cyber-security data protection, or you are a law firm, or you are an auditing firm. That is fair enough because the principles of data protection, in my opinion, is the legal component, which probably I would like to say accounts for about 30 per cent. The remaining 70 per cent is technology, the remediation that fixes technology. So, among the 72 licensed firms by the regulator, you have some that are law firms, you have some that are ICT firms, and you have some that are auditors.
So why your fears about the likelihood of making NDPR an elitist thing in the future?
My fear about the NDPR becoming an elitist thing in the future is that if you look at those professionals in the ecosystem in Nigeria, you have the ICT firms, which are aggressively progressive, then you have lawyers also coming to play technology and their profession is conservative. As the convener of the association of DCPOs, I have an overall picture of what each and everyone is doing and also with our constant engagements with the regulator, you can see the operationalisation playing out among those skill sets. Even with the recent data protection draft bill, which we were part of the review committee, by the time we shared it among our members to review, we discovered that the comments by the law firms were tilted towards the conservative point of view, not from technology. But that is the beauty of it, because as I said the focal point of data protection is the citizen, which is called the data subject. That is the person you want to protect. So what we tell people in DSPL, especially to novice about data protection, is that the quick way to get your head around data protection is that your organisation pays us, but the fact is that we are not looking after your interest. We are looking after the interests of your customers, your data subjects. So, we are making sure you are the one paying us for the services but it’s your customers that we want to make sure you do not abuse. And if you abuse your customer, we will report you to the regulator, even though you are the ones paying for the service. That is how data protection works all over the world. I remember what happened during one of our seminars at the International Association of Privacy Professional, which is the biggest association of privacy professionals in the world. I have been a member for about seven to nine years. At the seminar which held about four or five years ago, the data protection officer for Facebook, Stephen Bowman, was saying that Mark Zuckerberg is his boss who pays his salary, but he said his loyalty is to Facebook users, not to Zuckerberg. To make sure that Zuckerberg is not abusing the rights of Facebook, even though it’s Zuckerberg that is paying his salary. So that’s what I tell companies that yes, you are paying us but the loyalty is to your customers.
DSPL Nigeria Limited came on board recently, to further enhance data protection compliance. What are some of the key objectives of DSPL?
DSPL was created in February this year as a special purpose vehicle strictly to cater for data protection in Nigeria. Even though the data protection expertise among the three directors of DSPL is over 60 years, our individual experience in data protection abroad, if combined together spans several years. But the company was only created, as I said, as a special purpose vehicle and we were registered in February this year strictly to help organisations comply with data protection regulation. We got a licence to become a data protection compliance organization (DPCO). We passed all the criteria that were set out by the National Information Technology Development Agency (NITDA) before they could give us a licence. So, that was what DSPL was created for, strictly to help both public and private organisations to implement the provisions of Nigeria data protection regulation.
What specific role is DSPL playing in the data protection industry right now?
The role that DSPL is playing in the industry right now is that, as a strategy, we are doing a lot of advocacy, actually in the public sector, public institutions. Why is because the biggest processes of personal data, anywhere in any country in the world is always government. Government data subject is the population. If you are in the private sector, your population is your customers. So if you only have 20,000 customers, that is your entire population, but government controls the data of all citizens from the local government to state and to federal level. So any public institution, any ministry, department agency, from local government or whatever, will tend to handle personal data and modern private sector.
So, our strategy at DSPL is to focus on public sector, because that’s where most breaches are likely going to happen from. So most of our toolkits and most of our products, most of our services are targeted at the public sector. We have products for private sector, don’t get me wrong, but are we are just saying that most of our efforts, most of our strategy is to service public sector because by nature, and by default, they tend to be the biggest processors of personal information and most likely places where breach might happen.
As a DPCO, you must have noticed how organisations in Nigeria are complying with the NDPR, what is your assessment of the level of compliance?
Thank you very much for that question. I remember having this discussion with some of the stakeholders on the government side when we were not invited to a stakeholders’ meeting. When I said ‘we’ I mean the association, and I told them, we are the experts, we are the practitioners for data protection in Nigeria. NITDA, which is the regulator doesn’t have access to personal information of the organisations, we are the ones that are going round because of our licence. We are the ones that can go to any company, and that company would allow us to access their database. So, if we call ourselves experts, I don’t think we are wrong.
And what I told the stakeholders is the question you are asking me now. And that is the fact that in Nigeria, if anybody wants to ask about how are our organisations handling personal data, the only group of people that can answer that question rightly are the DPCOs, not the government, not NITDA, not the Minister of Communications and Digital Economy, and not even the National Identity Management Commission (NIMC) that has the identity data of all Nigerians. So thank you for that question. It shows that you understand the structure of our data protection system in Nigeria.
